Skip to content

chore: Migrate publishing to GHA, consolidate CI workflows #879

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
lucasmcdonald3 wants to merge 18 commits into
base: master
Choose a base branch
from
Open

chore: Migrate publishing to GHA, consolidate CI workflows #879

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
6c71f61
m
Nov 21, 2025
131fded
m
Nov 21, 2025
fc95c8e
m
Nov 21, 2025
88d6359
m
Nov 21, 2025
1b99627
m
Nov 21, 2025
80016a0
m
Nov 21, 2025
c23f1bd
m
Nov 21, 2025
d9f322c
m
Nov 21, 2025
4b1d15a
m
Nov 21, 2025
b8fa035
m
Nov 21, 2025
b2db653
m
Nov 21, 2025
e8c6d92
m
Nov 21, 2025
6f7ace1
test published
Nov 21, 2025
43fb081
m
Nov 21, 2025
468d928
m
Nov 21, 2025
e980b4c
m
Nov 21, 2025
d2f1c05
m
Nov 21, 2025
10d46e4
Potential fix for code scanning alert no. 11: Workflow does not conta…
lucasmcdonald3 Nov 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 0 additions & 25 deletions .github/workflows/ci-unit-tests.yaml
View file
Open in desktop

This file was deleted.

2 changes: 1 addition & 1 deletion .github/workflows/daily_ci.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,4 @@

jobs:
daily-ci-js-helpers:
uses: ./.github/workflows/ci-unit-tests.yaml
uses: ./.github/workflows/shared-ci.yml

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 21 days ago

To fix the problem, you should add an explicit permissions block to the workflow. Ideally, place it at the top/root level (directly under the name: and above the on: key) so it applies to all jobs not specifying their own permissions. If only read access to repository contents and metadata is required, set it as:

permissions:
  contents: read

If your jobs require more privileges, you can expand this as needed. In this case, since jobs are not detailed and just call another workflow, it's safest to start with a minimal read permission as suggested. You should edit the .github/workflows/daily_ci.yaml file, after the name: key and before on:, to include this block.

Suggested changeset 1
.github/workflows/daily_ci.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/daily_ci.yaml b/.github/workflows/daily_ci.yaml
--- a/.github/workflows/daily_ci.yaml
+++ b/.github/workflows/daily_ci.yaml
@@ -1,5 +1,7 @@
 # This workflow runs every weekday at 15:00 UTC (8AM PDT)
 name: Daily CI
+permissions:
+  contents: read
 
 on:
   schedule:
EOF
@@ -1,5 +1,7 @@
# This workflow runs every weekday at 15:00 UTC (8AM PDT)
name: Daily CI
permissions:
contents: read

on:
schedule:
Copilot is powered by AI and may make mistakes. Always verify output.
91 changes: 91 additions & 0 deletions .github/workflows/prod-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
name: Release
permissions:
contents: read
id-token: write

on:
workflow_dispatch:
inputs:
version_bump:
required: false
description: '[Optional] Override semantic versioning with explict version (allowed values: "patch", "minor", "major", or explicit version)'
default: ''
dist_tag:
description: 'NPM distribution tag'
required: false
default: 'latest'
branch:
description: 'The branch to release from'
required: false
default: 'master'

env:
NODE_OPTIONS: "--max-old-space-size=4096"
NPM_CONFIG_UNSAFE_PERM: true

jobs:
pre-release-ci:
uses: ./.github/workflows/shared-ci.yml

# Once all tests have passed, run semantic versioning
version:
runs-on: ubuntu-latest
needs: [pre-release-ci]
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}

- name: Setup Node.js 20
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'

- name: Install dependencies
run: npm ci --unsafe-perm

- name: Configure git
env:
BRANCH: ${{ github.event.inputs.branch }}
run: |
git config --global user.name "aws-crypto-tools-ci-bot"
git config --global user.email "[email protected]"
git checkout $BRANCH

- name: Version packages and push
env:
VERSION_BUMP: ${{ github.event.inputs.version_bump }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# Generate new version and CHANGELOG entry and push it
npx lerna version --conventional-commits --git-remote origin --yes ${VERSION_BUMP:+$VERSION_BUMP --force-publish}
# Log the commit for posterity
git log -n 1

publish:
runs-on: ubuntu-latest
needs: [pre-release-ci, version]
steps:
- uses: actions/checkout@v4

- uses: actions/setup-node@v4
with:
node-version: '20'
registry-url: 'https://registry.npmjs.org'

# Ensure npm 11.5.1 or later is installed
- name: Update npm
run: npm install -g npm@latest
- run: npm ci --unsafe-perm
- run: npm run build --if-present
- run: npx lerna publish from-package --yes --dist-tag ${{ github.event.inputs.dist_tag }}

# Once publishing is complete, validate that the published packages are useable
validate:
uses: ./.github/workflows/shared-ci.yml
needs: [publish]
with:
test-published-packages: true
12 changes: 11 additions & 1 deletion .github/workflows/pull.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,14 @@

jobs:
pr-ci-js-helpers-test:
uses: ./.github/workflows/ci-unit-tests.yaml
uses: ./.github/workflows/shared-ci.yml
pr-ci-all-required:
if: always()
needs:
- pr-ci-js-helpers-test
runs-on: ubuntu-22.04
steps:
- name: Verify all required jobs passed
uses: re-actors/alls-green@release/v1
with:
jobs: ${{ toJSON(needs) }}
2 changes: 1 addition & 1 deletion .github/workflows/push.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,4 +8,4 @@

jobs:
push-ci-js-helpers-test:
uses: ./.github/workflows/ci-unit-tests.yaml
uses: ./.github/workflows/shared-ci.yml

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 21 days ago

To fix this, add a permissions: block at the workflow root (before on:) in .github/workflows/push.yaml to grant only the minimum permissions required for the jobs in this workflow. Since the workflow simply uses a reusable workflow, unless more granular permissions are needed, a starting point is to set contents: read, which is the most restrictive typical value for read-only operations. If more permissions are required by the reused workflow, those can be added (but based only on what is shown, start with contents: read). This is accomplished by editing .github/workflows/push.yaml and inserting the permissions block after the workflow name.

Suggested changeset 1
.github/workflows/push.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -1,5 +1,7 @@
 # This workflow runs for every push to master
 name: Push CI
+permissions:
+  contents: read
 
 on:
   push:
EOF
@@ -1,5 +1,7 @@
# This workflow runs for every push to master
name: Push CI
permissions:
contents: read

on:
push:
Copilot is powered by AI and may make mistakes. Always verify output.
61 changes: 61 additions & 0 deletions .github/workflows/shared-ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
name: Shared CI Tests

on:
workflow_call:
inputs:
test-published-packages:
description: 'Test against published packages instead of checked out code'
required: false
type: boolean
default: false

env:
NODE_OPTIONS: "--max-old-space-size=4096"
NPM_CONFIG_UNSAFE_PERM: true

jobs:
ci-unit-tests:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
node: ["18.x", "20.x", "22.x", "latest"]
steps:
- uses: actions/checkout@v4

- name: Setup Node.js ${{ matrix.node }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node }}
cache: 'npm'

# - name: Configure AWS Credentials for Tests
# uses: aws-actions/configure-aws-credentials@v4
# with:
# aws-region: us-west-2
# role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2
# role-session-name: JavaScriptTests

- name: Install dependencies
run: npm ci --unsafe-perm

- name: Build (for source code testing)
if: ${{ !inputs.test-published-packages }}
run: npm run build

# Run vector tests for all CI runs (Ubuntu only)
- name: Publish locally for vector tests
if: ${{ !inputs.test-published-packages && matrix.os == 'ubuntu-latest' }}
run: npm run verdaccio-publish

- run: npm test

- name: Run vector tests (local packages)
if: ${{ !inputs.test-published-packages && matrix.os == 'ubuntu-latest' }}
run: npm run verdaccio-verify-publish -- ci

# Run vector tests against published packages (release workflow validation, Ubuntu only)
- name: Run vector tests (published packages)
if: ${{ inputs.test-published-packages && matrix.os == 'ubuntu-latest' }}
run: npm run verdaccio-verify-publish -- public
Comment on lines 18 to 59

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 21 days ago

The best way to fix this issue is to add a permissions block to the workflow to restrict the permissions of the GITHUB_TOKEN, adhering to the principle of least privilege. Because the workflow is for CI unit tests and does not appear to require write access to the repository, the minimal permission required is likely contents: read. This block can be added either at the workflow root (applies to all jobs unless overridden) or directly to the ci-unit-tests job. Adhering to current best practices, it's most appropriate to add it at the workflow top level, immediately after the name: line and before on:. No further code changes or external dependencies are required beyond this addition.

Suggested changeset 1
.github/workflows/shared-ci.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/shared-ci.yml b/.github/workflows/shared-ci.yml
--- a/.github/workflows/shared-ci.yml
+++ b/.github/workflows/shared-ci.yml
@@ -1,4 +1,6 @@
 name: Shared CI Tests
+permissions:
+  contents: read
 
 on:
   workflow_call:
EOF
@@ -1,4 +1,6 @@
name: Shared CI Tests
permissions:
contents: read

on:
workflow_call:
Copilot is powered by AI and may make mistakes. Always verify output.
36 changes: 26 additions & 10 deletions util/local_verdaccio_publish
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,7 @@
// but now the portability problems loom large.

const { spawn, execSync } = require('child_process')
const { readFileSync } = require('fs')
const pipeStdIo = { stdio: [process.stdin, process.stdout, process.stderr] }
const { workspaces } = JSON.parse(readFileSync("package.json", 'utf8'))

// Always clear storage so the latest versions are published
// I am not worried about _what_ version number is published
Expand All @@ -24,6 +22,12 @@ const verdaccio = spawn('npx', ['verdaccio', '-c', 'verdaccio/config.yaml'], pip
.on('error', e => {
throw e
})
.on('close', (code, signal) => {
console.log(`verdaccio process closed with code ${code} or signal ${signal}`);
})
.on('exit', (code, signal) => {
console.log(`verdaccio process exited with code ${code} or signal ${signal}`);
})

// Publish all changed packages the local verdaccio server.
// Anything that has not been changed will match what is in npm
Expand All @@ -37,21 +41,33 @@ const args = [
'--no-git-reset',
'--preid', 'ci',
'--no-verify-access',
'--force-publish'
'--force-publish',
'--loglevel', 'warn',
'--no-progress'
]
spawn('npx', args, pipeStdIo)
.on('close', (code) => {
// Kill the background verdaccio server
verdaccio.kill()

timeout = 60000 * 2
console.log(`Starting lerna publish with timeout of ${timeout}`);
spawn('npx', args, {
stdio: [process.stdin, process.stdout, process.stderr],
timeout: timeout
}).on('close', (code, signal) => {
console.log(`lerna terminated due to receipt of signal ${signal} or code ${code}`);
// The above command will make some modifications,
// Roll them back
// Ideally, we would find a way to not have to do this
workspaces.forEach(workspace => execSync(`git checkout -- ${workspace}/package.json`))
execSync('git checkout -- modules/**/package.json')
execSync('git checkout -- lerna.json')
execSync('git restore package-lock.json')

// Kill the background verdaccio server
verdaccioKilledStatus = verdaccio.kill()
console.log(`killing Verdaccio returned ${verdaccioKilledStatus}`);

// If this command had an error,
// we need to forward this.
// Otherwise the entire CI build may think that things succeeded.
if (code !== 0) throw Error(`Exit code: ${code}`)
})

process.exit()
})

Loading